package com.junjiao.util.web.filter;

import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * <!-- sql注入以及js脚本过滤器 ，必须在UTF-8字符过滤器之后-->
	<filter>
		<filter-name>SQLInjectionFilter</filter-name>
		<filter-class>
			besttone.tour.destination.filter.SQLInjectionFilter
		</filter-class>
		<init-param>
			<param-name>forward</param-name>
			<param-value>/WEB-INF/pages/besttone/404/404.jsp</param-value>
		</init-param>
		<init-param>
			<param-name>sql</param-name>
			<!-- 注意sql相关的后面都有一个空格，javascript相关的后面都不要空格。 -->
			<param-value>
				exec |execute |insert |select |delete |update |declare |create |script|iframe|img|;|%|'|"|\'|\"|>|\>|(|)
			</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>SQLInjectionFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
 * @description:   <br>
 * @author:jiaojun
 * @email:junjiao.j@gmail.com
 * @project:汽车问答 zhidao.51auto.com
 * @version:v0.2
 * @date:2013-5-21
 */
public class SQLInjectionFilter implements Filter{
	
	protected Log log=LogFactory.getLog(getClass());
	
	private static String web_xml_url;
	
	private static String forward;
	
	 
	/**
	 * URL过滤,true为合法 false为非法
	 * @return
	 */
	public static boolean UrlFile(HttpServletRequest request)
	{
		
		//转义字符
		String web_xml[]=web_xml_url.split("\\|");
		StringBuffer str;
		String st[];
		StringBuffer keyName;
		Enumeration enu=request.getParameterNames();
	
		while(enu.hasMoreElements())
		{
			keyName=new StringBuffer((String)enu.nextElement());
			if(request.getParameter(keyName.toString())!=null)
			{
				str=new StringBuffer(request.getParameter(keyName.toString()));
				
				for(int i1=0;i1<web_xml.length;i1++)
				{
					
					if(str.toString().toLowerCase().lastIndexOf(web_xml[i1].toLowerCase())!=-1)
					{
						
						return false;
					}
				}
				
			}
			else if(request.getParameterValues(keyName.toString())!=null)
			{
				st=request.getParameterValues(keyName.toString());
				for(int i=0;i<st.length;i++)
				{
					for(int j=0;j<web_xml.length;j++)
					{
						if(st[i].toLowerCase().lastIndexOf(web_xml[j].toLowerCase())!=-1)
						{
							return false;
						}
					}
				}
				
			}
		}
		
		return true;
		
	}

	public void destroy() {
		
	}

	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		
		
		boolean boo=SQLInjectionFilter.UrlFile((HttpServletRequest)request);
		
		
		if(!boo)
		{
			request.getRequestDispatcher(forward).forward(request, response);
		}
		else
		{  
			    chain.doFilter(request, response);	
		}
	}

	public void init(FilterConfig filterConfig) throws ServletException {
		this.web_xml_url=filterConfig.getInitParameter("sql");
		this.forward=filterConfig.getInitParameter("forward");
	}
//	public static boolean sql_inj(String str) 
//	 {
//	    String inj_str = "'|and|exec|execute|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,|like";
//	    String inj_stra[] = inj_str.split("|");
//	    for (int i=0 ; i < inj_stra.length ; i++ )
//	    {
//	        if (str.indexOf(inj_stra[i])>=0)
//	        {
//	            return true;
//	        }
//	    }
//	    return false;
//	 }

	public static String getWeb_xml_url() {
		
		return web_xml_url;
	}

	public static void setWeb_xml_url(String web_xml_url) {
		SQLInjectionFilter.web_xml_url = web_xml_url;
	}

	public static String getForward() {
		return forward;
	}

	public static void setForward(String forward) {
		SQLInjectionFilter.forward = forward;
	}

	

}
